CVE-2013-2275 (Incorrect Default Report ACL Vulnerability)

  • Posted March 12, 2013

  • This vulnerability affects puppet masters 0.25.0 and above. By default, auth.conf allows any authenticated node to submit a report for any other node, which can cause issues with compliance. The defaults in auth.conf have been changed so that the node name is captured from the request path and only that node is allowed to save the report:
    Previous setting:
        # allow all nodes to store their reports
        path /report
        method save
        allow *
    
    Revised setting:
        # allow all nodes to store their reports
        path ~ ^/report/([^/]+)$
        method save
        allow $1
    

    Status

    • Resolved in Puppet 2.6.18, 2.7.21, 3.1.1, Puppet Enterprise 1.2.7, 2.7.2
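
To check whether an existing auth.conf still carries the previous report ACL, the following added example (not Puppet's own code) parses the stanzas and reports how the first stanza matching a report save is authorized. The function names, the probe path and the status symbols are assumptions made for illustration, and only the `path`, `method` and `allow` directives are interpreted.

```ruby
# Added example, not Puppet's own code: simplified auth.conf audit.
PROBE = '/report/node.example.com' # constructed request path

OLD_DEFAULT = <<~'CONF' # "Previous setting" from the advisory
  # allow all nodes to store their reports
  path /report
  method save
  allow *
CONF
NEW_DEFAULT = <<~'CONF' # "Revised setting" from the advisory
  # allow all nodes to store their reports
  path ~ ^/report/([^/]+)$
  method save
  allow $1
CONF

# Split the file into stanzas, each opened by a "path" line.
def parse_stanzas(text)
  stanzas = []
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split(/\s+/, 2)
    if key == 'path'
      stanzas << { path: value.to_s, method: [], allow: [] }
    elsif stanzas.last && %w[method allow].include?(key)
      stanzas.last[key.to_sym].concat(value.to_s.split(/\s*,\s*/))
    end
  end
  stanzas
end

# Plain paths match as prefixes; "~" paths are regular expressions.
def covers_report_save?(stanza)
  path = stanza[:path]
  hit = path.start_with?('~') ? Regexp.new(path.sub(/\A~\s*/, '')).match?(PROBE) : PROBE.start_with?(path)
  hit && (stanza[:method].empty? || stanza[:method].include?('save'))
end

# The first matching stanza decides, as auth.conf is read top to bottom.
def report_acl_status(text)
  stanza = parse_stanzas(text).find { |s| covers_report_save?(s) }
  return :missing unless stanza
  stanza[:allow].include?('*') ? :any_node : :restricted
end

puts "previous default: #{report_acl_status(OLD_DEFAULT)}"
puts "revised default:  #{report_acl_status(NEW_DEFAULT)}"
```

A result of `:any_node` means the file still lets every authenticated node save reports under any node name and should be updated to the revised setting.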